Date: June 2012

Two days ago we intercepted a new APT campaign using a new MacOS X backdoor variant targeted at Uyghur activists. The application is actually a new, mostly undetected version of the MaControl backdoor (a Universal Binary), which supports both i386 and PowerPC Macs. We detect it as Backdoor.OSX.MaControl.b.

Deep inside one of Stuxnet’s configuration blocks, a certain 8-byte variable holds a number which, if read as a date, points to June 24th, 2012. This is the date when Stuxnet’s LNK replication sub-routines (https://securelist.com/myrtus-and-guava-episode-1/29614/) stop working and the worm stops infecting USB memory sticks.

On the 4th of June 2012 we found 3 APK files of ~207 kb in size each, heuristically detected by our engine as HEUR:Trojan-Spy.AndroidOS.Zitmo.a. All these applications are malicious and were created to steal incoming SMS messages from infected devices. The SMS messages are uploaded to a remote server whose URL is encrypted and stored inside the body of the Trojan. We found 3 more APK files with exactly the same functionality on the 8th, 13th and 14th of June. So there are at least 6 files which pretend to be ‘Android Security Suite Premium’ but in fact were created only for stealing incoming SMS messages.

Recently, we came across an interesting targeted attack which was evading most antivirus products. It is a recent spearphish targeting various Tibetan and human rights activists. It demonstrates the level of effort put into infiltrating their groups, and has some unique characteristics relative to the many other exploits targeting CVE-2012-0158.
Here’s how such e-mails appear:

Microsoft released a set of five bulletins, patching 29 software vulnerabilities in total. Multiple remote code execution holes are being patched, but the two most urgent are the Internet Explorer and Remote Desktop Protocol updates. Almost half of the 29 vulnerabilities being patched this month are in versions 6, 7, 8 and 9 of Internet Explorer, all patched with Security Bulletin MS12-037.

Two weeks ago, when we announced the discovery of the Flame malware, we said that we saw no strong similarity between its code and programming style and those of the Tilded platform (https://securelist.com/stuxnetduqu-the-evolution-of-drivers/36462/) on which Stuxnet and Duqu are based.
